One particular area of interest is Chinese-made EVs, which dominate the global market. This blog post delves into the privacy and security risks associated with these vehicles, drawing insights from a recent investigation.
In 2022, Tor Indstøy purchased a Chinese electric vehicle for $69,000 to accommodate his growing family.
Indstøy had an ulterior motivation for purchasing an ES8, a luxury SUV from Shanghai-based NIO Inc. The Norwegian cybersecurity specialist wanted to investigate the EV and see how much data it collects and transmits back to China.
He co-founded Project Lion Cage with several industry acquaintances to examine his SUV and release the findings.
Since its inception in July 2023, Indstøy and his crew have provided nearly a dozen status reports. These have largely consisted of them attempting to comprehend the enormously complex vehicle and the operation of its numerous components.
In a fascinating experiment, Norwegian cybersecurity researcher Tor Indstøy purchased a $69,000 Chinese electric vehicle—an ES8 luxury SUV manufactured by Shanghai-based NIO Inc. His motive? To dissect the vehicle, uncover its data practices, and shed light on potential risks.
The project, aptly named “Project Lion Cage,” aims to answer critical questions about data privacy and security in EVs.
Electric cars are not mere transportation devices; they are rolling data centers. Unlike their gas-powered counterparts, EVs rely heavily on electronic components—up to 2,000 to 3,000 chips per vehicle.
These chips control everything from battery management to infotainment systems. Each chip can collect and transmit data, creating a vast information flow network within the vehicle.
However, studying EVs is also a challenge. Traditional cybersecurity tools designed for PCs and servers fall short when dealing with the intricate architecture of electric cars. Researchers like Indstøy face unique challenges as they navigate this uncharted territory.
Indstøy and his team have identified potential areas of concern for the NIO ES8, but no major revelations have been made.
One example is how data gets into and out of the vehicle. According to the researchers, China received over 90% of the communications, which contained data ranging from simple voice commands to the car to the vehicle's geographical location. Other destinations included Germany, the United States, the Netherlands, Switzerland, and others.
Indstøy suggests that the ambiguity of some communications could be a source of concern. For example, the researchers discovered that the car was regularly downloading a single, unencrypted file from a nio.com internet address, but they have yet to determine its purpose.
China’s dominance in the EV market raises geopolitical concerns. With nearly 60% of global EV sales happening in China, the data collected by these vehicles becomes a strategic asset.
Governments worry about potential espionage, especially given the close ties between Chinese companies and the state. The Biden administration’s cautious approach to Chinese-made EVs reflects these concerns.
The Ministry of Home Affairs (MHA) has raised an alarm regarding a spike in cybercrime, where fraudsters impersonate law enforcement officers to extort money from unsuspecting victims. Collaborating with Microsoft, the Indian Cyber Crime Coordination Centre (I4C) has already taken action against over 1,000 Skype IDs associated with such fraudulent activities.
In a recent statement, the MHA cautioned the public against a sophisticated online scam staged by international syndicates. These criminals, masquerading as police personnel or representatives of agencies like the Central Bureau of Investigation (CBI) and the Reserve Bank of India (RBI), target individuals with false accusations of involvement in illegal activities or accidents. Subsequently, they demand payment to avoid legal consequences or secure the release of reportedly detained family members.
The fraudsters typically contact victims and claim that they have received or are about to receive a parcel containing illicit items such as drugs or fake passports. In some cases, they coerce victims into participating in simulated "digital arrests," where they are forced into appearing on video calls, lending an air of authenticity to the ruse. To support their credibility, these criminals operate from mock police stations and government offices, donning uniforms to deceive their targets.
Instances of individuals falling victim to these scams and losing significant sums of money have been reported across the country. The MHA emphasised that this form of organised cybercrime poses an unprecedented threat and is perpetrated by transnational criminal networks.
The I4C, established under the MHA's purview, serves as the focal point for combating cybercrime in India. Through its Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS), the I4C has intercepted and safeguarded over ₹600 crore from falling into the hands of online fraudsters. This online platform enables rapid reporting of financial cybercrimes, facilitating coordinated action among law enforcement agencies and financial institutions nationwide.
The MHA underscored its collaboration with various ministries, regulatory bodies like the RBI, and other stakeholders to counteract these fraudulent activities. Additionally, the I4C extends technical support and guidance to state and union territory police forces for identifying and investigating cybercrime cases.
To address this issue effectively, the I4C, in partnership with Microsoft, has initiated measures to block Skype IDs, SIM cards, mobile devices, and mule accounts used by cybercriminals. Furthermore, through its social media platform "Cyberdost," the I4C disseminates informational materials, including infographics and videos, to raise awareness and empower citizens to recognise and report cybercrimes promptly.
Given the delicate state of these scams, the MHA urges citizens to remain vigilant and promptly report any suspicious calls or online activities to the designated cyber crime helpline (1930) or the official website (www.cybercrime.gov.in) for assistance and intervention. By fostering a culture of awareness and heedful reporting, individuals can play a critical role in safeguarding themselves and their communities against cyber threats.
It all started on May 5 at 10 a.m., when Rajkumar (name changed), an Indiranagar resident and retired MNC executive, got a call from 8861447031. The caller claimed to be a 'FedEx' logistics executive and supplied Rajkumar's Aadhaar and mobile numbers.
He said that a package shipped to Taiwan under Shankar's name contained five passports, a laptop, 3kg of clothing, and 150 grams of MDMA. He transferred the call to a "police officer" after claiming a case against him had been filed at Mumbai's Andheri East cyber police station.
A man claiming to be Rajesh Pradhan, DCP (Cybercrime), Andheri, informed Shankar that he was under digital arrest until the inquiry was completed. They threatened to arrest him if he left his residence and instructed him to isolate himself in a room. Later, they made a video call to him, and Shankar noticed a police station in the backdrop and assumed he was speaking with actual cops.
Pradhan informed Rajkumar that this was a high-profile and sensitive matter involving VIPs. He was told not to mention their call to anybody and threatened with arrest if he did not obey their instructions.
The con artist added that they discovered a bank account opened in his name that was being used for money laundering. They allegedly examined the charges against him, which included money laundering, NDPS, and other criminal actions, before offering to assist him.
To protect the account, he was ordered to move the full balance in his bank accounts to Reserve Bank of India (RBI) accounts.
After promising to repay him after his transactions were verified, they convinced Shankar to send money to their accounts in several transactions.
After transferring Rs 3.8 crore, Rajkumar was promised that the return would be in his account within 30 minutes of verification and the connection was discontinued. Rajkumar only realized he had been duped after the crooks went mute.
According to Kuldeep Kumar Jain, DCP (East), Shankar submitted a report on May 13, and they were able to freeze Rs 9 lakh within two days.
A case has been filed under the Information Technology Act and IPC section 420 (cheating and dishonestly inducing delivery of property).
According to Jain, such claims should not be taken seriously. The police force has no concept of digital arrests or online (virtual) investigations. If you receive such calls, simply disconnect and report them to your nearest police station or the 1930 cyber helpline. If you lose any money, you should contact the police right away. Delays in filing complaints will have an impact on recovery rates.
Cybercriminals have adopted a highly intricate technique known as DNS tunnelling to carry out malicious activities such as tracking victims and scanning network vulnerabilities, posing a significant threat to cybersecurity. DNS tunnelling involves the encoding of data or commands within DNS queries, effectively transforming DNS into a covert communication channel, which can be challenging for traditional security measures to detect.
Hackers leverage various encoding methods, such as Base16 or Base64, to conceal their digital footprints within DNS records, including TXT, MX, CNAME, and Address records. This covert communication method allows them to bypass network firewalls and filters, using it for command and control operations and VPN activities, thereby improving their ability to evade detection by security tools.
The Palo Alto Networks' Unit 42 security research team has recently exposed two distinct campaigns that exploit DNS tunnelling for malicious purposes. The first campaign, dubbed "TrkCdn," focuses on tracking victim interactions with phishing emails, enabling attackers to evaluate their strategies and confirm the delivery of malicious payloads. Additionally, a similar campaign named "SpamTracker" utilises DNS tunnelling to track the delivery of spam messages, highlighting the versatility of this technique in cybercriminal operations.
Furthermore, the second campaign, identified as "SecShow," employs DNS tunnelling for network scanning purposes. Attackers embed IP addresses and timestamps into DNS queries to map out network layouts and identify potential configuration flaws that can be exploited for infiltration, data theft, or denial-of-service attacks. This demonstrates the advancing tactics of cybercriminals in exploiting DNS tunnelling for a wide range of fraudulent activities.
DNS tunnelling provides threat actors with several advantages, including bypassing security tools, avoiding detection, and maintaining operational flexibility, making it a preferred method for carrying out cyber-attacks. To mitigate this growing threat, organisations are advised to implement DNS monitoring and analysis tools to detect unusual traffic patterns and anomalies promptly. Additionally, limiting DNS resolvers to handle only necessary queries can reduce the risk of DNS tunnelling misuse, enhancing overall cybersecurity defences.
The discovery of hackers exploiting DNS tunnelling underscores the importance of staying vigilant against the pervasive nature of cyber threats and implementing robust cybersecurity measures to protect against potential attacks. By understanding the risks posed by DNS tunnelling and taking the required steps to mitigate them, organisations can effectively safeguard their networks and data.
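As an added example (not code from Unit 42 or from the original post), the DNS monitoring recommended above can start with a pass over resolver query logs that groups queries by parent domain and flags domains receiving many long, high-entropy subdomains, the shape encoded data takes inside a query name. The log format, the thresholds and the `tunnel-demo.test` domain are assumptions, and the sample log is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character, from the string's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Return (subdomain, parent domain).
    Assumption: the parent is the last two labels; production code should
    consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(log_lines, min_unique=5, min_len=20, min_entropy=3.0):
    """Flag parent domains whose queried subdomains are numerous, long and
    high-entropy. Thresholds are illustrative assumptions; tune them on
    your own resolver logs."""
    subs = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, _client, _qtype, qname = parts
        sub, parent = split_qname(qname)
        if sub:
            subs[parent].add(sub)
    report = {}
    for parent, names in subs.items():
        avg_len = sum(len(s) for s in names) / len(names)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in names) / len(names)
        report[parent] = {
            "unique": len(names),
            "avg_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "suspicious": (len(names) >= min_unique
                           and avg_len >= min_len
                           and avg_ent >= min_entropy),
        }
    return report


# Constructed sample log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = [
    f"2024-05-14T10:00:0{i} 10.0.0.5 A {host}.example.com"
    for i, host in enumerate(["www", "mail", "api", "cdn", "static", "login"])
]
# Hex digests stand in for Base16-encoded payloads carried in the query name.
SAMPLE_LOG += [
    f"2024-05-14T10:01:0{i} 10.0.0.9 TXT "
    f"{hashlib.sha256(str(i).encode()).hexdigest()[:32]}.t.tunnel-demo.test"
    for i in range(8)
]

if __name__ == "__main__":
    for domain, stats in score_domains(SAMPLE_LOG).items():
        print(domain, stats)
```

Content-delivery and telemetry hostnames can also be long and random-looking, so a hit is a lead for review, and known-good parent domains belong on an allowlist.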
Willy R. Vasquez, a security researcher at the University of Texas in Austin, uncovered the vulnerability, known as CVE-2024-27793. This vulnerability affects the CoreMedia framework, which processes media samples and manages media data queues in iTunes.
A major security flaw in the iTunes app for Windows 10 and Windows 11 users could have allowed malicious attackers to execute code remotely, Apple said in a support article published on May 8.
Willy R. Vasquez, a Ph.D. scholar and security expert at The University of Texas at Austin, discovered CVE-2024-27793 and contributed sandboxing code to the Firefox 117 web browser. The vulnerability, rated critical by the Common Vulnerability Scoring System v3, affects the CoreMedia framework, which provides the media pipeline used to process media samples and handle batches of media information, says Apple.
The flaw allows an attacker to execute arbitrary code by sending a maliciously crafted request during the file processing. It is critical to highlight that the attacker does not need physical access to the Windows PC, as the exploitation can be carried out remotely.
The CVSS v3 critical grade of 9.1 out of 10 is mostly due to the potential for remote code execution. The root cause of the flaw was inadequate checks inside the CoreMedia framework component, which Apple fixed with enhanced checks in the most recent release.
Based on the Vulnerability Database resource, CVE-2024-27793 can be leveraged remotely without authentication, although successful exploitation requires human involvement. This interaction could include clicking a link or visiting a website where CoreMedia processes the malicious file.
The ease of exploitation and potential impact of arbitrary code execution emphasize the seriousness of this issue. Users should upgrade their iTunes programs to the most recent version to protect themselves from any attacks exploiting this security weakness.
Here are some steps you can take to safeguard your system:
Cybercrime has emerged as a serious threat in India, prompting calls for comprehensive reforms and collaborative efforts from various stakeholders. Experts and officials emphasise the pressing need to address the evolving nature of cyber threats and strengthen the country's legal and regulatory framework to combat this menace effectively.
Former IPS officer and cybersecurity expert Prof Triveni Singh identified the necessity for fundamental changes in India's legal infrastructure to align with the pervasive nature of cybercrime. He advocates for the establishment of a national-level cybercrime investigation bureau, augmented training for law enforcement personnel, and the integration of cyber forensic facilities at police stations across the country.
A critical challenge in combating cybercrime lies in the outdated procedures for reporting and investigating such offences. Currently, victims often encounter obstacles when filing complaints, particularly if they reside outside India. Moreover, the decentralised nature of law enforcement across states complicates multi-jurisdictional investigations, leading to inefficiencies and resource depletion.
To streamline the process, experts propose the implementation of an independent online court system to expedite judicial proceedings for cybercrime cases, thereby eliminating the need for physical hearings. Additionally, fostering enhanced cooperation between police forces of different states and countries is deemed essential to effectively tackle cross-border cybercrimes.
Acknowledging the imperative for centralised coordination, proposals for the establishment of a national cybercrime investigation agency have been put forward. Such an agency would serve as a central hub, providing support to state police forces and facilitating collaboration in complex cybercrime cases involving multiple jurisdictions.
Regulatory bodies, notably the Reserve Bank of India (RBI), also play a crucial role in combatting financial cybercrimes. Experts urge the RBI to strengthen oversight of banks and enhance Know Your Customer (KYC) norms to prevent the misuse of accounts by cyber criminals. They should aim to utilise technologies like Artificial Intelligence (AI) to detect anomalous transaction patterns and consolidate efforts to identify and thwart cybercrime activities.
There is a growing consensus on the necessity for a comprehensive national cybersecurity strategy and legislation in India. Such initiatives would furnish a robust framework for addressing the omnipresent nature of this threat and safeguarding the country's cyber sovereignty.
The bottom line is that putting a stop to cybercrime demands a concerted effort involving lawmakers, regulators, law enforcement agencies, financial institutions, and internet service providers. By enacting comprehensive reforms and fostering greater cooperation, India can intensify its cyber resilience and ensure a safer online environment for all.
In 2024, the time it takes to crack a password depends on various factors, including its length, complexity, and the resources available to the hacker. Gone are the days when a simple six-character password could provide adequate protection. With the increasing computational power of modern machines and the prevalence of sophisticated hacking techniques, such passwords can be cracked in mere seconds. In 2024, the gold standard for password security lies in lengthy, complex combinations of letters, numbers, and symbols.
So, how long does it take for a hacker to crack a password in 2024? The answer is not straightforward. It depends on the strength of the password and the methods employed by the hacker. For instance, a short, simple password consisting of only lowercase letters can be cracked almost instantly using a brute-force attack, where the hacker systematically tries every possible combination until the correct one is found.
However, longer and more complex passwords present a significantly greater challenge. In 2024, state-of-the-art hacking tools utilize advanced algorithms and techniques such as dictionary attacks, where common words and phrases are systematically tested, and rainbow tables, which are precomputed tables used to crack password hashes. These methods can significantly reduce the time it takes to crack a password, but they are still thwarted by sufficiently strong passwords.
The concept of password entropy plays a crucial role in determining its strength against cracking attempts. Password entropy measures the randomness or unpredictability of a password. A password with high entropy is more resistant to cracking because it is less susceptible to brute-force and dictionary attacks. In 2024, experts recommend using passwords with high entropy, achieved through a combination of length, complexity, and randomness.
To put things into perspective, let's consider an example. A randomly generated 12-character password consisting of uppercase and lowercase letters, numbers, and symbols has an extremely high entropy. Even with the most advanced cracking techniques available in 2024, it could take billions or even trillions of years to crack such a password using brute-force methods.
However, the human factor remains a significant vulnerability in password security. Despite the availability of password managers and education on password best practices, many people still choose weak passwords or reuse them across multiple accounts. This behavior provides hackers with ample opportunities to exploit security vulnerabilities and gain unauthorized access to sensitive information.
The time it takes for a hacker to crack a password in 2024 varies depending on factors such as password strength, hacking techniques, and computational resources. While advances in technology have empowered hackers with increasingly sophisticated tools, the key to effective password security lies in employing strong, unique passwords with high entropy. By staying vigilant and adopting best practices, individuals and organizations can fortify their defenses against malicious cyber threats in the digital age.
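To make the entropy argument concrete, the following added example (not part of the original post) compares the brute-force entropy of a password with a lower-bound estimate for a password built from a dictionary word plus simple mangling. The word list, the assumed list size of one million entries and the guess rate passed to `crack_seconds` are assumptions chosen for illustration.

```python
import math
import string

# Leetspeak substitutions that dictionary-attack rules routinely undo.
LEET = str.maketrans("4@3105$7", "aaelosst")

# Constructed stand-in for a real word list (assumption).
WORDS = {"password", "dragon", "letmein", "monkey", "welcome"}


def alphabet_size(pw):
    """Size of the character pool implied by the classes present in pw."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    return sum(len(pool) for pool in pools if any(c in pool for c in pw))


def brute_force_bits(pw):
    """Entropy in bits if every character were drawn uniformly at random."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def effective_bits(pw, wordlist=WORDS, list_size=10**6):
    """Lower-bound estimate. If pw is a listed word (after undoing case and
    leet changes) followed by digits/symbols, the attacker searches only
    list_size words times the suffix space, not the full keyspace."""
    core = pw.rstrip(string.digits + string.punctuation)
    word = core.lower().translate(LEET)
    if word in wordlist:
        suffix_len = len(pw) - len(core)
        suffix_pool = len(string.digits) + len(string.punctuation)
        return math.log2(list_size) + suffix_len * math.log2(suffix_pool)
    return brute_force_bits(pw)


def crack_seconds(bits, guesses_per_sec):
    """Average time to find the password: half the search space."""
    return 2 ** bits / 2 / guesses_per_sec


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate; varies widely with the hash
    for pw in ["abcdef", "P@ssw0rd2024!", "kV9#tq2LxR!m"]:
        bf, eff = brute_force_bits(pw), effective_bits(pw)
        print(f"{pw!r}: brute-force {bf:.1f} bits, effective {eff:.1f} bits, "
              f"~{crack_seconds(eff, rate):.3g} s at {rate:.0e} guesses/s")
```

The mangled dictionary password scores high on character variety but far lower once the word underneath is recognised, which is the gap between apparent complexity and real entropy.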
The Hong Kong College of Technology, which offers a government-subsidized Higher Diploma in Cybersecurity, announced last week that it was the victim of a ransomware attack by hackers in late February, during which several internal papers were taken and encrypted.
This was not a normal cyber attack; it was very targeted and distinctive. HKCT strongly opposes all forms of cybercrime and sincerely apologizes for the annoyance and disruption caused by this event, according to a Chinese statement.
It stated that victims would receive a free six-month "credit monitoring service" and "dark web monitoring service," but refused to identify the number of students or staff affected. According to media sources, the information first leaked on the dark web this week.
The Privacy Commissioner for Personal Data informed HKFP that the data breach affected around 8,100 students, whose personal information including names, identity card numbers, addresses, email addresses, and phone numbers were disclosed.
The commissioner stated that it was investigating the infraction. It encouraged all victims to change their passwords for online accounts, enable two-factor authentication, and be wary of any unusual phone calls or links sent to their email or phones.
Cyberattacks on local organisations have increased, including those on the technology park Cyberport and the private Union Hospital.
In April, the hospital's computer system was infected with LockBit ransomware, which caused partial operational paralysis, according to local media sites.
Last year, a hacker got into Cyberport's network and maliciously encrypted server files. The hackers sought a ransom of $300,000. Cyberport failed to pay, and 400GB of stolen data was eventually leaked on the dark web, according to TVB.
The Consumer Council's computer system was hacked in September of last year, resulting in a data breach that included information on 289 people who had filed complaints with the council and some personnel and former staff.
After the Union Hospital hacking, Francis Fong, honorary president of the Hong Kong Information Technology Federation, said that victims should not pay ransoms since hackers may still make stolen material public regardless of payment.
Fong advised all public and commercial institutions to upgrade their computer systems regularly to address vulnerabilities and improve security.